Forum Discussion
DNS Query - reply from unexpected source
Hi Guys,
I'm new to F5, and something annoys me; I can't find out why it happens.
My topology:
Network (Public IP - pretend it's 100.100.100.0/24) --> Switch Stack --> LAG --> Viprion LTM --> Cisco CRS --> WWW
I have a Viprion 4800 and for now I just want to allow traffic to go outside. Here are my questions:
1. I've added a virtual server with 0.0.0.0/0.0.0.0 as Forwarding (IP) to allow the LAN to have connectivity,
but unless I open a virtual server back inside (100.100.100.0/255.255.255.0) I have no connectivity. Isn't it stateful?
2. After I open the rule I talked about in (1), I get this message when I try a simple resolution from a server behind the F5:
[ip@qa-env ~]$ host google.com 8.8.4.4
;; reply from unexpected source: 8.8.4.4#25965, expected 8.8.4.4#53
tcpdump shows this:
22:45:39.033309 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.033315 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.123868 IP 8.8.4.4.53 > 100.100.100.40.39945: 8917 1/0/0 A 173.194.41.69 (43)
22:45:39.123884 IP 8.8.4.4.25965 > 100.100.100.40.39945: UDP, length 43
So the packets go all good until the return packet comes back to the F5, and then it alters the port!
What am I missing?
*Remember, I have a public IP on the server; I just changed it to 100.100.100.40 for the example.
My virtuals:
ltm virtual MNG_ALLOW_ALL_OUT {
    description "Management Rule - Allow All Traffic Outside"
    destination 0.0.0.0:any
    ip-forward
    mask any
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        DNS_LAN
        LDAP_LAN
        RADIUS_LAN
    }
    vlans-enabled
}
ltm virtual MNG_QA_ENV_IN {
    description "Management Rule - Allow Radius traffic in"
    destination 100.100.100.0:any
    ip-forward
    mask 255.255.255.0
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        CRS1.WAN
        CRS2.WAN
    }
    vlans-enabled
}
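As an added example (not from the thread or from F5), a small Python script that scans tcpdump lines like the ones above and flags a UDP DNS reply whose source port differs from the port the query was sent to, which is exactly the symptom the resolver reported. The sample capture is the four lines from the post; the 53/UDP check and the line format are assumptions about a plain `tcpdump -n` capture.

```python
import re

# Constructed sample: the four tcpdump lines quoted in the post above.
SAMPLE_TCPDUMP = """\
22:45:39.033309 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.033315 IP 100.100.100.40.39945 > 8.8.4.4.53: 8917+ A? google.com. (27)
22:45:39.123868 IP 8.8.4.4.53 > 100.100.100.40.39945: 8917 1/0/0 A 173.194.41.69 (43)
22:45:39.123884 IP 8.8.4.4.25965 > 100.100.100.40.39945: UDP, length 43
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>" as printed by tcpdump -n.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse(text):
    """Yield (ts, sip, sport, dip, dport, rest) for every line that looks like an IP packet."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            yield d["ts"], d["sip"], int(d["sport"]), d["dip"], int(d["dport"]), d["rest"]


def find_unexpected_replies(text):
    """Return one finding per reply whose source port is not the port the query went to.

    A query is any packet to port 53 whose decode contains a '?' (tcpdump's DNS query marker).
    Seeing the same query twice is normal on a forwarding box (ingress and egress capture),
    so duplicates are not reported.
    """
    queries = set()  # (client_ip, client_port, server_ip, server_port)
    findings = []
    for ts, sip, sport, dip, dport, rest in parse(text):
        if dport == 53 and "?" in rest:
            queries.add((sip, sport, dip, dport))
            continue
        for cip, cport, srv_ip, srv_port in queries:
            # Candidate reply: back to the client socket, from the server we asked.
            if dip == cip and dport == cport and sip == srv_ip and sport != srv_port:
                findings.append({"ts": ts, "reply_from": (sip, sport),
                                 "expected": (srv_ip, srv_port)})
                break
    return findings


if __name__ == "__main__":
    for f in find_unexpected_replies(SAMPLE_TCPDUMP):
        print(f"{f['ts']} reply from unexpected source {f['reply_from']}, expected {f['expected']}")
```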
- What_Lies_Bene1 (Cirrostratus): I feel vindicated =]
- Chura_16140 (Nimbostratus): I'm not sure, I'm still learning this F5 and I don't get why it behaves this way.
- What_Lies_Bene1 (Cirrostratus): Sorry, I thought you meant the internet links, did you mean the LAG?
- Chura_16140 (Nimbostratus): I did, the internet links (my cores).
- What_Lies_Bene1 (Cirrostratus): OK, you're welcome. Let us know if you get a resolution, I'm dying to know.
- Chura_16140 (Nimbostratus):
Ok, here's the deal.
I have two uplinks that do Active-Active load sharing with IS-IS, with a VLAN for each uplink.
The F5 doesn't know how to handle asymmetric traffic and therefore considers the return packet a new connection.
For now I've changed the IS-IS metrics to one uplink only to solve this. Meanwhile the vendor here is checking the effect of activating an "Allow Asymmetric" route on the chassis performance.
Once again, thanks for the time invested in my case :)
- What_Lies_Bene1 (Cirrostratus): Thanks, very interesting, especially the information that there's a dedicated VLAN per link. I wonder if a VLAN Group could be useful? Please do post again if there's some setting on the F5 that resolves the issue.
- Cellcom_IP_Engi (Nimbostratus): Since I'm using IS-IS I'm not happy to have a shared VLAN between my core and the F5.
- What_Lies_Bene1 (Cirrostratus): Fair enough. Again, let us know what that magic setting is when you do.